
Google Analytics and RGPD: what’s at stake in the coming months?

Erwan CHUPEAU

Published on January 24, 2023

The history of the leader in web analysis

Google Analytics was created in 2005, when Google acquired Urchin Software Corporation. Following this acquisition, the solution became popular with the general public thanks to its free formula for sites with fewer than ten million visits per month.

October 2012 saw the launch of Universal Analytics, which added new components to the analysis offered, enabling the calculations to take into account the new uses that would become crucial: connected phones and objects.

This solution was the benchmark until November 14, 2020, the date of the release of Google Analytics 4.

Whereas Universal Analytics based its measurements on sessions, GA4 bases them on what is known as an “event”, i.e. any interaction a user may have with a site or application. This decision comes in the wake of changing user behavior, with browsing habits shifting from “classic” sites to connected TVs and video game consoles, for example.

On March 16, 2022 Google announced the end of its Universal Analytics solution. Users must switch their accounts to Google Analytics 4 by July 1, 2023.

The transition period for Google Analytics 360, the paid version of the solution, has been extended to October 1, 2023.

Universal Analytics and RGPD, a difficult cohabitation


Historically, Google Analytics has always been controversial in terms of data protection, due to the nature of its operation. Indeed, the collection of usage behavior is done by tracking the user’s IP address. As this IP address is associated with the user’s (approximate) geographical position, this comes into direct conflict with the very principles of the GDPR.

On May 25, 2018, the new European Data Protection Regulation came into force, which notably enabled users to authorize or not the use of cookies enabling Google Analytics to track their behavior.

With this law in force, Google decided to add a new feature. September 3, 2020 marked the launch of “consent mode” on several Google tools:

  • Retargeting Ads
  • Conversions Ads
  • Floodlights
  • Google Analytics

Put simply, the aim of this mode is to collect user behavior data, by modifying the data collection method, depending on whether or not the user accepts cookies. This mode enables partial compliance with RGPD requirements.

The problems with the RGPD remain very real: on January 13, 2022, the Austrian personal data protection authority, the equivalent of the CNIL in France, ruled that a site dealing with health is no longer compliant with the regulation if it uses Google Analytics. Indeed, as soon as a European user visits the site, their data is transferred to American servers.

On the same grounds, the CNIL declared on February 10, 2022 that sites using Google Analytics do not comply with the RGPD.

In June 2022 the CNIL set out only one way to use Google Analytics legally: you must route the data through a proxy server that hashes it. Hashing gives the data a digital signature that cannot be traced back to the initial data; the aim of this procedure is to avoid sending non-anonymized data to American servers.
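What such a proxy does to each hit before forwarding it, shown as an added example that is not code from the CNIL, Google or the original article. The hit field names, sample values and secret are constructed for illustration; using a keyed hash (HMAC) rather than a bare hash, and dropping the IP address, user agent and referrer entirely, are this example's assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Assumption: this key lives only on the proxy and is never forwarded.
# Without it, a short or guessable identifier could be recovered from a
# plain hash by simply hashing every candidate value.
PROXY_SECRET = b"constructed-demo-secret"


def pseudonymize_id(client_id: str, secret: bytes = PROXY_SECRET) -> str:
    """Replace the visitor identifier with a keyed hash (HMAC-SHA256)."""
    return hmac.new(secret, client_id.encode("utf-8"), hashlib.sha256).hexdigest()


def strip_url(url: str) -> str:
    """Keep scheme, host and path; drop query string and fragment,
    which often carry e-mail addresses, tokens or search terms."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def sanitize_hit(hit: dict) -> dict:
    """Build the only record the proxy forwards to the analytics endpoint.

    An allow-list is used on purpose: any field not copied here (IP,
    user agent, referrer, future additions) never leaves the proxy.
    """
    return {
        "client_id": pseudonymize_id(hit["client_id"]),
        "event": hit["event"],
        "page": strip_url(hit["page"]),
    }


# Constructed sample hit as the browser would send it to the proxy.
SAMPLE_HIT = {
    "client_id": "GA1.2.1234567890.1674550000",
    "ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (constructed)",
    "referrer": "https://example.org/search?q=private+terms",
    "page": "https://shop.example/cart?email=alice%40example.org#step2",
    "event": "page_view",
}

if __name__ == "__main__":
    print(sanitize_hit(SAMPLE_HIT))
```

The same visitor still maps to the same pseudonym, so visit counts keep working, while rotating `PROXY_SECRET` breaks the link between old and new pseudonyms.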

Google Analytics 4: the road to compliance?

Following the exposure of its lack of RGPD compliance, Google had no choice but to move towards tools that would respect the personal data processed.

The American giant has promised to comply with a number of regulations thanks to its new version:

  • Consent to data processing and collection: this topic concerns the setting of cookies on sites using GA4. As seen above, the RGPD provides for the individual to be given the choice of whether or not to accept cookies that are essential for tracking their data and behavior.
  • IP address anonymization: it is now possible to automatically anonymize users’ IP addresses. As mentioned earlier in this article, this configuration means that no link can be made between the data stored and sent, and the user.
  • Data retention time: with a maximum of 14 months, compared with 64 months for its predecessor, the length of data retention can be configured. In any case, whatever the duration chosen, you’ll need to be able to justify the reasons for this duration and the essential nature of the data stored, in order to remain within the law.
  • The deletion of data relating to a user: as provided for by the RGPD and the CNIL, if a user formulates the request to delete their data, a process for deleting their information is provided for.

Despite these compliance efforts, the CNIL and, more generally, the major European players in the field of data protection, have noted that in order to be anonymized, this data is still transiting via American servers, which is not legal.

What’s more, some of Analytics’ complementary tools, such as Google AdWords, have made no effort to comply. Using these two tools together would render the former’s compliance efforts ineffective.

The use of Google Analytics 4 is therefore not formally prohibited, but it does contain loopholes that may be subject to formal notice by the CNIL.

This formal notice gives GA4 users one month to adopt one of two solutions:

  • Uninstall GA4 and replace it with an RGPD-compliant tool. A data migration and parameterization project must be planned in order to get closer to the data collection and analysis that was done previously.
  • Google Analytics 4 compliance: this solution reverts to the setup we mentioned earlier, i.e. going through a new server, which will enable personal data to be processed in accordance with what is laid down by the RGPD.

In short, if using the new version of Google Analytics on a site doesn’t tick all the RGPD boxes, it’s best to plan a back-up strategy upstream to avoid having to implement a restructuring project with tight deadlines that can be costly.

While you’re waiting for a Google suite that’s fully compliant with the RGPD, there are alternatives. They enable you to perform web analysis at the right levels. However, they are most often freemium, as is the case with Matomo, for example, or paid-only, as with AT Internet.

Palmer Consulting has worked with a number of solutions on the market, including the two mentioned above. This knowledge of alternative tools enables us to position ourselves more effectively with companies wishing to ensure an effective transition, to comply with European directives as of now, and to anticipate any potential risks of formal notice from the CNIL.

Changes are certainly on the cards in the coming months, if the American company doesn’t want to risk losing part of its European market.

Erwan Chupeau
